|
@@ -1,6 +1,5 @@
|
|
|
//go:build ignore
|
|
//go:build ignore
|
|
|
#include "cw_vmlinux.h"
|
|
#include "cw_vmlinux.h"
|
|
|
-#include "kflowd.h"
|
|
|
|
|
|
|
|
|
|
// #include <bpf/bpf_core_read.h>
|
|
// #include <bpf/bpf_core_read.h>
|
|
|
// #include <bpf/bpf_helpers.h>
|
|
// #include <bpf/bpf_helpers.h>
|
|
@@ -8,6 +7,7 @@
|
|
|
// #include <bpf/bpf_endian.h>
|
|
// #include <bpf/bpf_endian.h>
|
|
|
#include "bpf_endian.h"
|
|
#include "bpf_endian.h"
|
|
|
#include "../common/bpf/bpf_core_read.h"
|
|
#include "../common/bpf/bpf_core_read.h"
|
|
|
|
|
+#include "kflowd.h"
|
|
|
|
|
|
|
|
// char LICENSE[] SEC("license") = "GPL v2";
|
|
// char LICENSE[] SEC("license") = "GPL v2";
|
|
|
// char _license[] SEC("license") = "GPL";
|
|
// char _license[] SEC("license") = "GPL";
|
|
@@ -34,11 +34,11 @@
|
|
|
|
|
|
|
|
#define MAX_QUEUE_SIZE 1024
|
|
#define MAX_QUEUE_SIZE 1024
|
|
|
|
|
|
|
|
-struct {
|
|
|
|
|
- __uint(type, BPF_MAP_TYPE_RINGBUF);
|
|
|
|
|
- __uint(max_entries, 1 << 24);
|
|
|
|
|
- // __type(value, struct RECORD_FS);
|
|
|
|
|
-} ringbuf_records SEC(".maps");
|
|
|
|
|
|
|
+// struct {
|
|
|
|
|
+// __uint(type, BPF_MAP_TYPE_RINGBUF);
|
|
|
|
|
+// __uint(max_entries, 1 << 24);
|
|
|
|
|
+// // __type(value, struct RECORD_FS);
|
|
|
|
|
+// } ringbuf_records SEC(".maps");
|
|
|
|
|
|
|
|
struct {
|
|
struct {
|
|
|
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
|
|
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
|
|
@@ -141,22 +141,22 @@ struct {
|
|
|
// })
|
|
// })
|
|
|
|
|
|
|
|
/* glabal variables shared with userspace */
|
|
/* glabal variables shared with userspace */
|
|
|
-const volatile __u64 ts_start;
|
|
|
|
|
-const volatile __u32 agg_events_max;
|
|
|
|
|
|
|
+// const volatile __u64 ts_start;
|
|
|
|
|
+// const volatile __u32 agg_events_max;
|
|
|
// const volatile __u32 agg_idle_timeout;
|
|
// const volatile __u32 agg_idle_timeout;
|
|
|
// const volatile __u32 agg_active_timeout;
|
|
// const volatile __u32 agg_active_timeout;
|
|
|
-const volatile __u16 output_udp_port[UDP_SERVER_MAX];
|
|
|
|
|
-const volatile __u16 app_proto[APP_MAX][APP_PORT_MAX];
|
|
|
|
|
-const volatile __u16 app_port[APP_MAX][APP_PORT_MAX];
|
|
|
|
|
-const volatile pid_t pid_self;
|
|
|
|
|
-const volatile pid_t pid_shell;
|
|
|
|
|
-volatile __u32 monitor = MONITOR_NONE;
|
|
|
|
|
|
|
+// const volatile __u16 output_udp_port[UDP_SERVER_MAX];
|
|
|
|
|
+// const volatile __u16 app_proto[APP_MAX][APP_PORT_MAX];
|
|
|
|
|
+// const volatile __u16 app_port[APP_MAX][APP_PORT_MAX];
|
|
|
|
|
+// const volatile pid_t pid_self;
|
|
|
|
|
+// const volatile pid_t pid_shell;
|
|
|
|
|
+// volatile __u32 monitor = MONITOR_NONE;
|
|
|
|
|
|
|
|
/* debug helpers for process debugging and kernel stack */
|
|
/* debug helpers for process debugging and kernel stack */
|
|
|
// static __always_inline void debug_dump_stack(void *, const char *);
|
|
// static __always_inline void debug_dump_stack(void *, const char *);
|
|
|
static __always_inline cw_net_bool debug_proc(char *, char *);
|
|
static __always_inline cw_net_bool debug_proc(char *, char *);
|
|
|
static __always_inline cw_net_bool debug_file_is_tp(char *);
|
|
static __always_inline cw_net_bool debug_file_is_tp(char *);
|
|
|
-const volatile char debug[DBG_LEN_MAX];
|
|
|
|
|
|
|
+// const volatile char debug[DBG_LEN_MAX];
|
|
|
|
|
|
|
|
/* submit tcp or udp socket record to ringbuffer */
|
|
/* submit tcp or udp socket record to ringbuffer */
|
|
|
static __always_inline int submit_sock_record(void* ctx, struct SOCK_INFO *sinfo) {
|
|
static __always_inline int submit_sock_record(void* ctx, struct SOCK_INFO *sinfo) {
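Review bot: The loader-set globals `pid_self`, `pid_shell`, `monitor`, `debug` and the port tables are commented out here rather than removed, and nothing in the hunk says what now supplies their values. Their uses are outside this hunk, so this is inferred from the names: if `pid_self` was used to skip the agent's own sockets, or `monitor` to gate collection, that behaviour is gone and should be replaced or documented. I would delete the dead declarations and leave one comment such as `/* userspace-configured globals (pid_self, monitor, debug, ...) are disabled in this build */`.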
|
|
@@ -217,6 +217,7 @@ static __always_inline int submit_sock_record(void* ctx, struct SOCK_INFO *sinfo
|
|
|
r->rx_packets_reorder = sinfo->rx_packets_reorder[1];
|
|
r->rx_packets_reorder = sinfo->rx_packets_reorder[1];
|
|
|
r->rx_packets_frag = sinfo->rx_packets_frag;
|
|
r->rx_packets_frag = sinfo->rx_packets_frag;
|
|
|
r->rx_events = sinfo->rx_events;
|
|
r->rx_events = sinfo->rx_events;
|
|
|
|
|
+#pragma unroll
|
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
|
r->rx_flags[cnt] = sinfo->rx_flags_map[cnt];
|
|
r->rx_flags[cnt] = sinfo->rx_flags_map[cnt];
|
|
|
r->rx_event[cnt] = sinfo->rx_event[cnt];
|
|
r->rx_event[cnt] = sinfo->rx_event[cnt];
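Review bot: The added `#pragma unroll` carries no comment saying why it is needed, here and in the hunks at -234, -256, -269, -326, -930 and -978. If the intent is to load on kernels whose verifier rejects loops, say so at the first occurrence, e.g. `/* unrolled: target kernels lack bounded-loop support in the verifier */`. Also confirm the build treats a failed unroll as an error, since clang can decline to unroll and only warn. The loop in expire_sock_records (hunk -326) contains a `break` and runs to SOCK_EXP_MAX, whose value is not visible here, so full unrolling multiplies its body against the verifier's instruction limit. submit_sock_record starts and ends outside this hunk.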
|
|
@@ -234,6 +235,7 @@ static __always_inline int submit_sock_record(void* ctx, struct SOCK_INFO *sinfo
|
|
|
r->tx_packets_retrans = sinfo->tx_packets_retrans[1];
|
|
r->tx_packets_retrans = sinfo->tx_packets_retrans[1];
|
|
|
r->tx_packets_dups = sinfo->tx_packets_dups[1];
|
|
r->tx_packets_dups = sinfo->tx_packets_dups[1];
|
|
|
r->tx_events = sinfo->tx_events;
|
|
r->tx_events = sinfo->tx_events;
|
|
|
|
|
+#pragma unroll
|
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
|
r->tx_flags[cnt] = sinfo->tx_flags_map[cnt];
|
|
r->tx_flags[cnt] = sinfo->tx_flags_map[cnt];
|
|
|
r->tx_event[cnt] = sinfo->tx_event[cnt];
|
|
r->tx_event[cnt] = sinfo->tx_event[cnt];
|
|
@@ -256,6 +258,7 @@ static __always_inline int submit_sock_record(void* ctx, struct SOCK_INFO *sinfo
|
|
|
sinfo->rx_packets_drop[0] += r->rx_packets_drop;
|
|
sinfo->rx_packets_drop[0] += r->rx_packets_drop;
|
|
|
sinfo->rx_packets_reorder[0] += r->rx_packets_reorder;
|
|
sinfo->rx_packets_reorder[0] += r->rx_packets_reorder;
|
|
|
sinfo->rx_events = 0;
|
|
sinfo->rx_events = 0;
|
|
|
|
|
+#pragma unroll
|
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
|
sinfo->rx_flags_map[cnt] = 0;
|
|
sinfo->rx_flags_map[cnt] = 0;
|
|
|
sinfo->rx_event[cnt] = 0;
|
|
sinfo->rx_event[cnt] = 0;
|
|
@@ -269,6 +272,7 @@ static __always_inline int submit_sock_record(void* ctx, struct SOCK_INFO *sinfo
|
|
|
sinfo->tx_packets_retrans[0] += r->tx_packets_retrans;
|
|
sinfo->tx_packets_retrans[0] += r->tx_packets_retrans;
|
|
|
sinfo->tx_packets_dups[0] += r->tx_packets_dups;
|
|
sinfo->tx_packets_dups[0] += r->tx_packets_dups;
|
|
|
sinfo->tx_events = 0;
|
|
sinfo->tx_events = 0;
|
|
|
|
|
+#pragma unroll
|
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
|
sinfo->tx_flags_map[cnt] = 0;
|
|
sinfo->tx_flags_map[cnt] = 0;
|
|
|
sinfo->tx_event[cnt] = 0;
|
|
sinfo->tx_event[cnt] = 0;
|
|
@@ -326,6 +330,7 @@ static __always_inline void expire_sock_records(void* ctx) {
|
|
|
bpf_printk("EXPIRE_SOCK_RECORDS: %lu records in queue", qlen);
|
|
bpf_printk("EXPIRE_SOCK_RECORDS: %lu records in queue", qlen);
|
|
|
}
|
|
}
|
|
|
ts_now = bpf_ktime_get_ns();
|
|
ts_now = bpf_ktime_get_ns();
|
|
|
|
|
+#pragma unroll
|
|
|
for (cnt = 0; cnt < SOCK_EXP_MAX; cnt++) {
|
|
for (cnt = 0; cnt < SOCK_EXP_MAX; cnt++) {
|
|
|
if (s && cnt >= qlen)
|
|
if (s && cnt >= qlen)
|
|
|
break;
|
|
break;
|
|
@@ -448,25 +453,41 @@ static __always_inline int handle_tcp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
}
|
|
}
|
|
|
// TBD: consolidate
|
|
// TBD: consolidate
|
|
|
if (family == AF_INET) {
|
|
if (family == AF_INET) {
|
|
|
- bpf_probe_read_kernel(stuple->laddr, sizeof(args->saddr), BPF_CORE_READ(args, saddr));
|
|
|
|
|
- bpf_probe_read_kernel(stuple->raddr, sizeof(args->daddr), BPF_CORE_READ(args, daddr));
|
|
|
|
|
|
|
+ __u8 args_saddr[4];
|
|
|
|
|
+ __u8 args_daddr[4];
|
|
|
|
|
+ bpf_probe_read(args_saddr, sizeof(args_saddr), &args->saddr);
|
|
|
|
|
+ bpf_probe_read(args_daddr, sizeof(args_daddr), &args->daddr);
|
|
|
|
|
+ bpf_probe_read_kernel(stuple->laddr, sizeof(args_saddr), args_saddr);
|
|
|
|
|
+ bpf_probe_read_kernel(stuple->raddr, sizeof(args_daddr), args_daddr);
|
|
|
} else {
|
|
} else {
|
|
|
- bpf_probe_read_kernel(stuple->laddr, sizeof(args->saddr_v6), BPF_CORE_READ(args, saddr_v6));
|
|
|
|
|
- bpf_probe_read_kernel(stuple->raddr, sizeof(args->daddr_v6), BPF_CORE_READ(args, daddr_v6));
|
|
|
|
|
|
|
+ __u8 args_saddr_v6[16];
|
|
|
|
|
+ __u8 args_daddr_v6[16];
|
|
|
|
|
+ bpf_probe_read(args_saddr_v6, sizeof(args_saddr_v6), &args->saddr_v6);
|
|
|
|
|
+ bpf_probe_read(args_daddr_v6, sizeof(args_daddr_v6), &args->daddr_v6);
|
|
|
|
|
+ bpf_probe_read_kernel(stuple->laddr, sizeof(args_saddr_v6), args_saddr_v6);
|
|
|
|
|
+ bpf_probe_read_kernel(stuple->raddr, sizeof(args_daddr_v6), args_daddr_v6);
|
|
|
}
|
|
}
|
|
|
- stuple->lport = BPF_CORE_READ(args, sport);
|
|
|
|
|
- stuple->rport = BPF_CORE_READ(args, dport);
|
|
|
|
|
|
|
+ __u16 args_sport;
|
|
|
|
|
+ __u16 args_dport;
|
|
|
|
|
+ bpf_probe_read_kernel(&args_sport, sizeof(args_sport), &args->sport);
|
|
|
|
|
+ bpf_probe_read_kernel(&args_dport, sizeof(args_dport), &args->dport);
|
|
|
|
|
+ stuple->lport = args_sport;
|
|
|
|
|
+ stuple->rport = args_dport;
|
|
|
stuple->proto = IPPROTO_TCP;
|
|
stuple->proto = IPPROTO_TCP;
|
|
|
if (bpf_map_update_elem(&hash_tuples, stuple, &key, BPF_ANY))
|
|
if (bpf_map_update_elem(&hash_tuples, stuple, &key, BPF_ANY))
|
|
|
bpf_printk("WARNING: Failed to update client/server stuple for key %lx and pid %u\n", key, pid);
|
|
bpf_printk("WARNING: Failed to update client/server stuple for key %lx and pid %u\n", key, pid);
|
|
|
|
|
|
|
|
/* get old and new tcp state */
|
|
/* get old and new tcp state */
|
|
|
- tcp_state_old = BPF_CORE_READ(args, oldstate);
|
|
|
|
|
- tcp_state = BPF_CORE_READ(args, newstate);
|
|
|
|
|
-
|
|
|
|
|
|
|
+ int args_oldstate;
|
|
|
|
|
+ int args_newstate;
|
|
|
|
|
+ bpf_probe_read_kernel(&args_oldstate, sizeof(args_oldstate), &args->oldstate);
|
|
|
|
|
+ bpf_probe_read_kernel(&args_newstate, sizeof(args_newstate), &args->newstate);
|
|
|
|
|
+ tcp_state_old = args_oldstate;
|
|
|
|
|
+ tcp_state = args_newstate;
|
|
|
if (tcp_state_old == TCP_SYN_RECV && tcp_state == TCP_ESTABLISHED) {
|
|
if (tcp_state_old == TCP_SYN_RECV && tcp_state == TCP_ESTABLISHED) {
|
|
|
/* check if alternate key from application message exists already */
|
|
/* check if alternate key from application message exists already */
|
|
|
- key_alt = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
|
|
+ // key_alt = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
+ key_alt = 0;
|
|
|
sinfo = bpf_map_lookup_elem(&hash_socks, &key_alt);
|
|
sinfo = bpf_map_lookup_elem(&hash_socks, &key_alt);
|
|
|
if (!sinfo) {
|
|
if (!sinfo) {
|
|
|
sinfo = bpf_map_lookup_elem(&heap_sock, &zero);
|
|
sinfo = bpf_map_lookup_elem(&heap_sock, &zero);
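Review bot: Replacing `crc64(0, (const u8 *)stuple, sizeof(*stuple))` with `key_alt = 0;` makes every connection share one alternate key in `hash_socks`, here and in the hunks at -578 and -587. In this SYN_RECV to ESTABLISHED branch the lookup is only guarded by `if (!sinfo)`, so an accepted connection picks up whatever entry the client path last stored under key 0 (hunk -578 writes it with `BPF_ANY`), and the flow can be attributed to the wrong socket and pid. In hunk -587 the "try again without lport" retry also computes 0, so it can no longer find anything the first lookup missed. If `crc64` was dropped because it would not build or verify, substitute another key derived from the bytes of `stuple` rather than a constant, or skip the alternate-key path entirely until one is available. handle_tcp_event continues outside the hunk.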
|
|
@@ -519,9 +540,10 @@ static __always_inline int handle_tcp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
sinfo->tx_flags_map[0] = TCP_SYN | TCP_ACK;
|
|
sinfo->tx_flags_map[0] = TCP_SYN | TCP_ACK;
|
|
|
sinfo->tx_flags_map_cnt = 1;
|
|
sinfo->tx_flags_map_cnt = 1;
|
|
|
if (!bpf_map_update_elem(&hash_socks, &key, sinfo, BPF_ANY)) {
|
|
if (!bpf_map_update_elem(&hash_socks, &key, sinfo, BPF_ANY)) {
|
|
|
- if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
- bpf_printk("Prepared %s server socket for pid %u\n",
|
|
|
|
|
- sinfo->app_msg.cnt ? "new tcp" : "tcp application", pid);
|
|
|
|
|
|
|
+ // if (debug_proc(NULL, NULL))
|
|
|
|
|
+ // bpf_printk("Prepared %s server socket for pid %u\n",
|
|
|
|
|
+ // sinfo->app_msg.cnt ? "new tcp" : "tcp application", pid);
|
|
|
|
|
+ ;
|
|
|
} else
|
|
} else
|
|
|
bpf_printk("WARNING: Failed to prepare new tcp server socket for pid %u\n", pid);
|
|
bpf_printk("WARNING: Failed to prepare new tcp server socket for pid %u\n", pid);
|
|
|
} else if (tcp_state_old == TCP_CLOSE && tcp_state == TCP_SYN_SENT) {
|
|
} else if (tcp_state_old == TCP_CLOSE && tcp_state == TCP_SYN_SENT) {
|
|
@@ -578,7 +600,8 @@ static __always_inline int handle_tcp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
sinfo->ts_proc = 0;
|
|
sinfo->ts_proc = 0;
|
|
|
/* calculate alternate key for tuple since no kernel socket hash at this point */
|
|
/* calculate alternate key for tuple since no kernel socket hash at this point */
|
|
|
sinfo->app_msg.cnt = 0;
|
|
sinfo->app_msg.cnt = 0;
|
|
|
- key_alt = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
|
|
+ // key_alt = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
+ key_alt = 0;
|
|
|
if (!bpf_map_update_elem(&hash_socks, &key_alt, sinfo, BPF_ANY)) {
|
|
if (!bpf_map_update_elem(&hash_socks, &key_alt, sinfo, BPF_ANY)) {
|
|
|
// if (debug_proc(sinfo->comm, NULL))
|
|
// if (debug_proc(sinfo->comm, NULL))
|
|
|
bpf_printk("Prepared new tcp client socket for alt key %lx and pid %u\n", key_alt, pid);
|
|
bpf_printk("Prepared new tcp client socket for alt key %lx and pid %u\n", key_alt, pid);
|
|
@@ -587,13 +610,15 @@ static __always_inline int handle_tcp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
pid);
|
|
pid);
|
|
|
} else if (tcp_state_old == TCP_SYN_SENT && tcp_state == TCP_ESTABLISHED) {
|
|
} else if (tcp_state_old == TCP_SYN_SENT && tcp_state == TCP_ESTABLISHED) {
|
|
|
/* get alternate key */
|
|
/* get alternate key */
|
|
|
- key_alt = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
|
|
+ // key_alt = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
+ key_alt = 0;
|
|
|
sinfo = bpf_map_lookup_elem(&hash_socks, &key_alt);
|
|
sinfo = bpf_map_lookup_elem(&hash_socks, &key_alt);
|
|
|
if (!sinfo || (struct cw_net_sock*)sinfo->sock != sock) {
|
|
if (!sinfo || (struct cw_net_sock*)sinfo->sock != sock) {
|
|
|
/* try again without lport */
|
|
/* try again without lport */
|
|
|
u16 lport = stuple->lport;
|
|
u16 lport = stuple->lport;
|
|
|
stuple->lport = 0;
|
|
stuple->lport = 0;
|
|
|
- key_alt = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
|
|
+ // key_alt = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
+ key_alt = 0;
|
|
|
stuple->lport = lport;
|
|
stuple->lport = lport;
|
|
|
sinfo = bpf_map_lookup_elem(&hash_socks, &key_alt);
|
|
sinfo = bpf_map_lookup_elem(&hash_socks, &key_alt);
|
|
|
if (!sinfo || (struct cw_net_sock*)sinfo->sock != sock) {
|
|
if (!sinfo || (struct cw_net_sock*)sinfo->sock != sock) {
|
|
@@ -696,8 +721,9 @@ static __always_inline int handle_tcp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
|
|
|
|
|
/* update hash tables */
|
|
/* update hash tables */
|
|
|
if (!bpf_map_update_elem(&hash_socks, &key, sinfo, BPF_ANY)) {
|
|
if (!bpf_map_update_elem(&hash_socks, &key, sinfo, BPF_ANY)) {
|
|
|
- if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
- bpf_printk("Added new tcp server socket for key %lx, rport %u and pid %u\n", key, sinfo->rport, pid);
|
|
|
|
|
|
|
+ // if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
+ // bpf_printk("Added new tcp server socket for key %lx, rport %u and pid %u\n", key, sinfo->rport, pid);
|
|
|
|
|
+ ;
|
|
|
} else
|
|
} else
|
|
|
bpf_printk("WARNING: Failed to add new tcp server socket for key %lx and pid %u\n", key, pid);
|
|
bpf_printk("WARNING: Failed to add new tcp server socket for key %lx and pid %u\n", key, pid);
|
|
|
}
|
|
}
|
|
@@ -768,7 +794,7 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
__u32 zero = 0;
|
|
__u32 zero = 0;
|
|
|
|
|
|
|
|
/* clean expired records */
|
|
/* clean expired records */
|
|
|
- expire_sock_records(ctx);
|
|
|
|
|
|
|
+ // expire_sock_records(ctx);//TODO 考虑优化此函数
|
|
|
|
|
|
|
|
/* try to get sock from buffer if zero */
|
|
/* try to get sock from buffer if zero */
|
|
|
if (!sock) {
|
|
if (!sock) {
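Review bot: With `expire_sock_records(ctx)` commented out, nothing in this path ages records out any more, while the comment above still says "clean expired records". Whether another caller still runs the expiry is not visible in this hunk. If none does, `hash_socks` will fill under sustained connection churn, further `bpf_map_update_elem` calls will fail, and new sockets will go untracked. Please state the consequence in English next to the disabled call, e.g. `/* TODO: expiry disabled until expire_sock_records() is optimised; records are not aged out from this path */`, and link the follow-up. handle_tcp_packet continues outside the hunk.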
|
|
@@ -852,7 +878,7 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
isrx ? bpf_ntohs(ipv6hdr_payload_len) - doff * 4
|
|
isrx ? bpf_ntohs(ipv6hdr_payload_len) - doff * 4
|
|
|
: skb_len - doff * 4;
|
|
: skb_len - doff * 4;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
/* get tcp flags */
|
|
/* get tcp flags */
|
|
|
__u16 tcp_flags = 0;
|
|
__u16 tcp_flags = 0;
|
|
|
ret = bpf_probe_read_kernel(&tcp_flags, sizeof(tcp_flags), &tcphdr->source + 5);
|
|
ret = bpf_probe_read_kernel(&tcp_flags, sizeof(tcp_flags), &tcphdr->source + 5);
|
|
@@ -877,13 +903,14 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
tcp_flags |= TCP_ACK;
|
|
tcp_flags |= TCP_ACK;
|
|
|
if (urg)
|
|
if (urg)
|
|
|
tcp_flags |= TCP_URG;
|
|
tcp_flags |= TCP_URG;
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
/* adjust packet count per flag when gso segmented */
|
|
/* adjust packet count per flag when gso segmented */
|
|
|
short unsigned int skbinfo_gso_segs;
|
|
short unsigned int skbinfo_gso_segs;
|
|
|
bpf_probe_read_kernel(&skbinfo_gso_segs, sizeof(skbinfo_gso_segs), &skbinfo->gso_segs);
|
|
bpf_probe_read_kernel(&skbinfo_gso_segs, sizeof(skbinfo_gso_segs), &skbinfo->gso_segs);
|
|
|
__u16 gso_segs = skbinfo_gso_segs;
|
|
__u16 gso_segs = skbinfo_gso_segs;
|
|
|
__u64 ts_now = bpf_ktime_get_ns();
|
|
__u64 ts_now = bpf_ktime_get_ns();
|
|
|
if (isrx) {
|
|
if (isrx) {
|
|
|
|
|
+ // return 0;
|
|
|
sinfo->rx_ts = ts_now;
|
|
sinfo->rx_ts = ts_now;
|
|
|
if (!sinfo->rx_events++) {
|
|
if (!sinfo->rx_events++) {
|
|
|
sinfo->rx_ts_first = sinfo->rx_ts;
|
|
sinfo->rx_ts_first = sinfo->rx_ts;
|
|
@@ -916,13 +943,20 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
u32 tcp_sock_copied_seq;
|
|
u32 tcp_sock_copied_seq;
|
|
|
bpf_probe_read_kernel(&tcp_sock_rcv_nxt, sizeof(tcp_sock_rcv_nxt), &tcp_sock->rcv_nxt);
|
|
bpf_probe_read_kernel(&tcp_sock_rcv_nxt, sizeof(tcp_sock_rcv_nxt), &tcp_sock->rcv_nxt);
|
|
|
bpf_probe_read_kernel(&tcp_sock_copied_seq, sizeof(tcp_sock_copied_seq), &tcp_sock->copied_seq);
|
|
bpf_probe_read_kernel(&tcp_sock_copied_seq, sizeof(tcp_sock_copied_seq), &tcp_sock->copied_seq);
|
|
|
|
|
+ // return 0;
|
|
|
if (sock_skc_state == TCP_LISTEN){
|
|
if (sock_skc_state == TCP_LISTEN){
|
|
|
u32 sock_sk_ack_backlog;
|
|
u32 sock_sk_ack_backlog;
|
|
|
bpf_probe_read_kernel(&sock_sk_ack_backlog, sizeof(sock_sk_ack_backlog), &sock->sk_ack_backlog);
|
|
bpf_probe_read_kernel(&sock_sk_ack_backlog, sizeof(sock_sk_ack_backlog), &sock->sk_ack_backlog);
|
|
|
sinfo->rx_packets_queued = sock_sk_ack_backlog;
|
|
sinfo->rx_packets_queued = sock_sk_ack_backlog;
|
|
|
}else if (tcp_sock_rcv_nxt > tcp_sock_copied_seq)
|
|
}else if (tcp_sock_rcv_nxt > tcp_sock_copied_seq)
|
|
|
sinfo->rx_packets_queued = tcp_sock_rcv_nxt - tcp_sock_copied_seq;
|
|
sinfo->rx_packets_queued = tcp_sock_rcv_nxt - tcp_sock_copied_seq;
|
|
|
- __u32 drop = BPF_CORE_READ(sock, sk_drops.counter);
|
|
|
|
|
|
|
+ // return 0;
|
|
|
|
|
+ atomic_t sock_sk_drops;
|
|
|
|
|
+ bpf_probe_read_kernel(&sock_sk_drops, sizeof(atomic_t), &sock->sk_drops);
|
|
|
|
|
+ __u32 drop_counter;
|
|
|
|
|
+ bpf_probe_read_kernel(&drop_counter, sizeof(drop_counter), &sock_sk_drops.counter);
|
|
|
|
|
+ // __u32 drop = BPF_CORE_READ(sock, sk_drops.counter);
|
|
|
|
|
+ __u32 drop = drop_counter;
|
|
|
if (drop > sinfo->rx_packets_drop[0])
|
|
if (drop > sinfo->rx_packets_drop[0])
|
|
|
sinfo->rx_packets_drop[1] = drop - sinfo->rx_packets_drop[0];
|
|
sinfo->rx_packets_drop[1] = drop - sinfo->rx_packets_drop[0];
|
|
|
__u32 tcp_sockreord_seen;
|
|
__u32 tcp_sockreord_seen;
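Review bot: The drop counter is fetched with two helper calls where one is enough: after the first read `sock_sk_drops` is already a stack copy, so the second `bpf_probe_read_kernel` on `&sock_sk_drops.counter` only copies stack to stack. Read the field directly with `bpf_probe_read_kernel(&drop_counter, sizeof(drop_counter), &sock->sk_drops.counter);` and drop the `atomic_t` temporary. The `// return 0;` lines added in this hunk and the neighbouring ones look like bisecting leftovers and should be removed before merge. handle_tcp_packet starts and ends outside the hunk.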
|
|
@@ -930,14 +964,17 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
__u32 reorder = tcp_sockreord_seen;
|
|
__u32 reorder = tcp_sockreord_seen;
|
|
|
if (reorder > sinfo->rx_packets_reorder[0])
|
|
if (reorder > sinfo->rx_packets_reorder[0])
|
|
|
sinfo->rx_packets_reorder[1] = reorder - sinfo->rx_packets_reorder[0];
|
|
sinfo->rx_packets_reorder[1] = reorder - sinfo->rx_packets_reorder[0];
|
|
|
|
|
+ // return 0;
|
|
|
__u8 skbinfo_nr_frags;
|
|
__u8 skbinfo_nr_frags;
|
|
|
bpf_probe_read_kernel(&skbinfo_nr_frags, sizeof(skbinfo_nr_frags), &skbinfo->nr_frags);
|
|
bpf_probe_read_kernel(&skbinfo_nr_frags, sizeof(skbinfo_nr_frags), &skbinfo->nr_frags);
|
|
|
sinfo->rx_packets_frag += skbinfo_nr_frags;
|
|
sinfo->rx_packets_frag += skbinfo_nr_frags;
|
|
|
if (data_len)
|
|
if (data_len)
|
|
|
sinfo->rx_bytes += data_len;
|
|
sinfo->rx_bytes += data_len;
|
|
|
|
|
+#pragma unroll
|
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++)
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++)
|
|
|
if (!sinfo->rx_flags_map[cnt] || sinfo->rx_flags_map[cnt] == tcp_flags)
|
|
if (!sinfo->rx_flags_map[cnt] || sinfo->rx_flags_map[cnt] == tcp_flags)
|
|
|
break;
|
|
break;
|
|
|
|
|
+ // return 0;
|
|
|
if (cnt < SOCK_FLAGS_MAX) {
|
|
if (cnt < SOCK_FLAGS_MAX) {
|
|
|
if (gso_segs > 1)
|
|
if (gso_segs > 1)
|
|
|
sinfo->rx_event[cnt] += gso_segs;
|
|
sinfo->rx_event[cnt] += gso_segs;
|
|
@@ -948,6 +985,7 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
sinfo->rx_flags_map_cnt++;
|
|
sinfo->rx_flags_map_cnt++;
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
+ // return 0;
|
|
|
if (sinfo->family == AF_INET){
|
|
if (sinfo->family == AF_INET){
|
|
|
__u8 iphdr_ttl;
|
|
__u8 iphdr_ttl;
|
|
|
bpf_probe_read_kernel(&iphdr_ttl, sizeof(iphdr_ttl), &iphdr->ttl);
|
|
bpf_probe_read_kernel(&iphdr_ttl, sizeof(iphdr_ttl), &iphdr->ttl);
|
|
@@ -958,15 +996,27 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
sinfo->rx_ttl += ipv6hdr_hop_limit;
|
|
sinfo->rx_ttl += ipv6hdr_hop_limit;
|
|
|
}
|
|
}
|
|
|
} else {
|
|
} else {
|
|
|
|
|
+ // return 0;
|
|
|
sinfo->tx_ts = ts_now;
|
|
sinfo->tx_ts = ts_now;
|
|
|
if (!sinfo->tx_events++) {
|
|
if (!sinfo->tx_events++) {
|
|
|
sinfo->tx_ts_first = sinfo->tx_ts;
|
|
sinfo->tx_ts_first = sinfo->tx_ts;
|
|
|
if (!sinfo->ts_first)
|
|
if (!sinfo->ts_first)
|
|
|
sinfo->ts_first = sinfo->tx_ts;
|
|
sinfo->ts_first = sinfo->tx_ts;
|
|
|
if (!sinfo->tx_ifindex) {
|
|
if (!sinfo->tx_ifindex) {
|
|
|
|
|
+ long unsigned int refdst_tmp;
|
|
|
|
|
+ // struct dst_entry *dst_entry =
|
|
|
|
|
+ // (struct dst_entry *)(BPF_CORE_READ(skb, _skb_refdst) & SKB_DST_PTRMASK);
|
|
|
|
|
+ bpf_probe_read_kernel(&refdst_tmp, sizeof(refdst_tmp), &(skb->_skb_refdst));
|
|
|
struct dst_entry *dst_entry =
|
|
struct dst_entry *dst_entry =
|
|
|
- (struct dst_entry *)(BPF_CORE_READ(skb, _skb_refdst) & SKB_DST_PTRMASK);
|
|
|
|
|
- sinfo->tx_ifindex = BPF_CORE_READ(dst_entry, dev, ifindex);
|
|
|
|
|
|
|
+ (struct dst_entry *)(refdst_tmp & SKB_DST_PTRMASK);
|
|
|
|
|
+ struct net_device *dev_tmp = NULL;
|
|
|
|
|
+ bpf_probe_read_kernel(&dev_tmp, sizeof(struct net_device*), &(dst_entry->dev));
|
|
|
|
|
+ if(!dev_tmp)
|
|
|
|
|
+ return 0;
|
|
|
|
|
+ int ifindex_tmp = 0;
|
|
|
|
|
+ bpf_probe_read_kernel(&ifindex_tmp, sizeof(ifindex_tmp), &(dev_tmp->ifindex));
|
|
|
|
|
+ // sinfo->tx_ifindex = BPF_CORE_READ(dst_entry, dev, ifindex);
|
|
|
|
|
+ sinfo->tx_ifindex = ifindex_tmp;
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
if (gso_segs > 1) {
|
|
if (gso_segs > 1) {
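Review bot: The new `if(!dev_tmp) return 0;` leaves handle_tcp_packet after `sinfo->tx_ts`, `sinfo->tx_events` and `sinfo->tx_ts_first` have already been updated. The first TX packet of a flow whose dst entry has no device is therefore counted as an event but skips the remaining TX accounting and the map update further down, outside this hunk. The replaced `BPF_CORE_READ(dst_entry, dev, ifindex)` chain did not return early. Leaving `tx_ifindex` unset and continuing keeps the counters consistent: `if (dev_tmp && !bpf_probe_read_kernel(&ifindex_tmp, sizeof(ifindex_tmp), &dev_tmp->ifindex)) sinfo->tx_ifindex = ifindex_tmp;`.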
|
|
@@ -978,25 +1028,35 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
sinfo->tx_data_packets++;
|
|
sinfo->tx_data_packets++;
|
|
|
sinfo->tx_packets++;
|
|
sinfo->tx_packets++;
|
|
|
}
|
|
}
|
|
|
|
|
+ // return 0;
|
|
|
// __u32 retrans = BPF_CORE_READ(tcp_sock, total_retrans);
|
|
// __u32 retrans = BPF_CORE_READ(tcp_sock, total_retrans);
|
|
|
- __u32 retrans = tcp_sock->total_retrans;
|
|
|
|
|
|
|
+ __u32 retrans_tmp;
|
|
|
|
|
+ bpf_probe_read_kernel(&retrans_tmp, sizeof(retrans_tmp), &(tcp_sock->total_retrans));
|
|
|
|
|
+ __u32 retrans = retrans_tmp;
|
|
|
if (retrans > sinfo->tx_packets_retrans[0])
|
|
if (retrans > sinfo->tx_packets_retrans[0])
|
|
|
sinfo->tx_packets_retrans[1] = retrans - sinfo->tx_packets_retrans[0];
|
|
sinfo->tx_packets_retrans[1] = retrans - sinfo->tx_packets_retrans[0];
|
|
|
// __u32 dups = BPF_CORE_READ(tcp_sock, dsack_dups);
|
|
// __u32 dups = BPF_CORE_READ(tcp_sock, dsack_dups);
|
|
|
- __u32 dups = tcp_sock->dsack_dups;
|
|
|
|
|
|
|
+ __u32 dups_tmp;
|
|
|
|
|
+ bpf_probe_read_kernel(&dups_tmp, sizeof(dups_tmp), &(tcp_sock->dsack_dups));
|
|
|
|
|
+ __u32 dups = dups_tmp;
|
|
|
if (dups > sinfo->tx_packets_dups[0])
|
|
if (dups > sinfo->tx_packets_dups[0])
|
|
|
sinfo->tx_packets_dups[1] = dups - sinfo->tx_packets_dups[0];
|
|
sinfo->tx_packets_dups[1] = dups - sinfo->tx_packets_dups[0];
|
|
|
if (data_len)
|
|
if (data_len)
|
|
|
sinfo->tx_bytes += data_len;
|
|
sinfo->tx_bytes += data_len;
|
|
|
// __u64 acked = BPF_CORE_READ(tcp_sock, bytes_acked);
|
|
// __u64 acked = BPF_CORE_READ(tcp_sock, bytes_acked);
|
|
|
- __u64 acked = tcp_sock->bytes_acked;
|
|
|
|
|
|
|
+ __u64 acked_tmp;
|
|
|
|
|
+ bpf_probe_read_kernel(&acked_tmp, sizeof(acked_tmp), &(tcp_sock->bytes_acked));
|
|
|
|
|
+ __u64 acked = acked_tmp;
|
|
|
if (acked > sinfo->tx_bytes_acked[0])
|
|
if (acked > sinfo->tx_bytes_acked[0])
|
|
|
sinfo->tx_bytes_acked[1] = acked - sinfo->tx_bytes_acked[0];
|
|
sinfo->tx_bytes_acked[1] = acked - sinfo->tx_bytes_acked[0];
|
|
|
// __u64 retransb = BPF_CORE_READ(tcp_sock, bytes_retrans);
|
|
// __u64 retransb = BPF_CORE_READ(tcp_sock, bytes_retrans);
|
|
|
- __u64 retransb = tcp_sock->bytes_retrans;
|
|
|
|
|
|
|
+ __u64 retransb_tmp;
|
|
|
|
|
+ bpf_probe_read_kernel(&retransb_tmp, sizeof(retransb_tmp), &(tcp_sock->bytes_retrans));
|
|
|
|
|
+ __u64 retransb = retransb_tmp;
|
|
|
if (retransb > sinfo->tx_bytes_retrans[0])
|
|
if (retransb > sinfo->tx_bytes_retrans[0])
|
|
|
sinfo->tx_bytes_retrans[1] = retransb - sinfo->tx_bytes_retrans[0];
|
|
sinfo->tx_bytes_retrans[1] = retransb - sinfo->tx_bytes_retrans[0];
|
|
|
-
|
|
|
|
|
|
|
+ // return 0;
|
|
|
|
|
+#pragma unroll
|
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++)
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++)
|
|
|
if (!sinfo->tx_flags_map[cnt] || sinfo->tx_flags_map[cnt] == tcp_flags)
|
|
if (!sinfo->tx_flags_map[cnt] || sinfo->tx_flags_map[cnt] == tcp_flags)
|
|
|
break;
|
|
break;
|
|
@@ -1010,14 +1070,19 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
sinfo->tx_flags_map_cnt++;
|
|
sinfo->tx_flags_map_cnt++;
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
- sinfo->tx_rto = BPF_CORE_READ(tcp_sock, inet_conn.icsk_rto);
|
|
|
|
|
|
|
+ // return 0;
|
|
|
|
|
+ // sinfo->tx_rto = BPF_CORE_READ(tcp_sock, inet_conn.icsk_rto);
|
|
|
|
|
+ __u32 icsk_rto_tmp;
|
|
|
|
|
+ bpf_probe_read_kernel(&icsk_rto_tmp, sizeof(icsk_rto_tmp), &(tcp_sock->inet_conn.icsk_rto));
|
|
|
|
|
+ sinfo->tx_rto = icsk_rto_tmp;
|
|
|
// sinfo->rtt = BPF_CORE_READ(tcp_sock, srtt_us) * 1000 / 8;
|
|
// sinfo->rtt = BPF_CORE_READ(tcp_sock, srtt_us) * 1000 / 8;
|
|
|
- sinfo->rtt = tcp_sock->srtt_us * 1000 / 8;
|
|
|
|
|
|
|
+ u32 srtt_us_tmp;
|
|
|
|
|
+ bpf_probe_read_kernel(&srtt_us_tmp, sizeof(srtt_us_tmp), &(tcp_sock->srtt_us));
|
|
|
|
|
+ sinfo->rtt = srtt_us_tmp * 1000 / 8;
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
if (!bpf_map_update_elem(&hash_socks, &key, sinfo, BPF_ANY)) {
|
|
if (!bpf_map_update_elem(&hash_socks, &key, sinfo, BPF_ANY)) {
|
|
|
- if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
- bpf_printk("Updated tcp %s flags of socket %lx for pid %u", isrx ? "rx" : "tx", key, sinfo->pid);
|
|
|
|
|
|
|
+ // if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
+ // bpf_printk("Updated tcp %s flags of socket %lx for pid %u", isrx ? "rx" : "tx", key, sinfo->pid);
|
|
|
sq.key = key;
|
|
sq.key = key;
|
|
|
sq.ts = ts_now;
|
|
sq.ts = ts_now;
|
|
|
// if (!bpf_map_push_elem(&queue_socks, &sq, BPF_EXIST)) {
|
|
// if (!bpf_map_push_elem(&queue_socks, &sq, BPF_EXIST)) {
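Review bot: `sinfo->rtt = srtt_us_tmp * 1000 / 8;` multiplies a `u32` by 1000 in 32-bit arithmetic, so the product wraps once `srtt_us_tmp` exceeds about 4.29 million and a slow path is reported with a small RTT. The removed line had the same expression, but the new temporary makes the width explicit and this is the place to fix it: `sinfo->rtt = (__u64)srtt_us_tmp * 1000 / 8;`. The declared type of `sinfo->rtt` is not visible in this hunk, so check that it is wide enough to hold the result. The return values of the two added `bpf_probe_read_kernel` calls are ignored, so a failed read is stored as an RTO and RTT like any measured value.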
|
|
@@ -1029,34 +1094,35 @@ static __always_inline int handle_tcp_packet(void* ctx, struct cw_net_sock *sock
|
|
|
else
|
|
else
|
|
|
s->q_push_updated++;
|
|
s->q_push_updated++;
|
|
|
}
|
|
}
|
|
|
- if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
- bpf_printk("Pushed tcp key %lx with lport %u and rport %u to queue", key, sinfo->lport,
|
|
|
|
|
- sinfo->rport);
|
|
|
|
|
|
|
+ // if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
+ // bpf_printk("Pushed tcp key %lx with lport %u and rport %u to queue", key, sinfo->lport,
|
|
|
|
|
+ // sinfo->rport);
|
|
|
if (s) {
|
|
if (s) {
|
|
|
__u32 qlen =
|
|
__u32 qlen =
|
|
|
s->q_push_added + s->q_push_updated - s->q_pop_expired - s->q_pop_ignored - s->q_pop_missed;
|
|
s->q_push_added + s->q_push_updated - s->q_pop_expired - s->q_pop_ignored - s->q_pop_missed;
|
|
|
- if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
- bpf_printk("%lu records in queue", qlen);
|
|
|
|
|
|
|
+ // if (debug_proc(sinfo->comm, NULL))
|
|
|
|
|
+ // bpf_printk("%lu records in queue", qlen);
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
- } else
|
|
|
|
|
- bpf_printk("WARNING: Failed to update tcp %s flags of socket %lx for pid %u", isrx ? "rx" : "tx", key,
|
|
|
|
|
|
|
+ }
|
|
|
|
|
+ else
|
|
|
|
|
+ bpf_printk("WARNING: Failed to update tcp flags of socket %lx for pid %u", key,
|
|
|
sinfo->pid);
|
|
sinfo->pid);
|
|
|
|
|
|
|
|
- if (debug_proc(sinfo->comm, NULL)) {
|
|
|
|
|
- bpf_printk("HANDLE_TCP_PACKET %s", isrx ? "RX" : "TX");
|
|
|
|
|
- bpf_printk(" PID: %u KEY: %lx STATE: %u", sinfo->pid, key, sinfo->state);
|
|
|
|
|
- if (sinfo->family == AF_INET) {
|
|
|
|
|
- bpf_printk(" LOCAL: %pI4:%u", sinfo->laddr, sinfo->lport);
|
|
|
|
|
- bpf_printk(" REMOTE: %pI4:%u", sinfo->raddr, sinfo->rport);
|
|
|
|
|
- } else {
|
|
|
|
|
- bpf_printk(" LOCAL: %pI6c:%u", sinfo->laddr, sinfo->lport);
|
|
|
|
|
- bpf_printk(" REMOTE: %pI6c:%u", sinfo->raddr, sinfo->rport);
|
|
|
|
|
- }
|
|
|
|
|
- bpf_printk(" %s FLAGS: 0x%x EVENTS: %u", isrx ? "RX" : "TX", tcp_flags,
|
|
|
|
|
- isrx ? sinfo->rx_events : sinfo->tx_events);
|
|
|
|
|
- bpf_printk(" TOTAL: TX %lu RX %lu\n", sinfo->tx_bytes, sinfo->rx_bytes);
|
|
|
|
|
- }
|
|
|
|
|
|
|
+ // if (debug_proc(sinfo->comm, NULL)) {
|
|
|
|
|
+ // bpf_printk("HANDLE_TCP_PACKET %s", isrx ? "RX" : "TX");
|
|
|
|
|
+ // bpf_printk(" PID: %u KEY: %lx STATE: %u", sinfo->pid, key, sinfo->state);
|
|
|
|
|
+ // if (sinfo->family == AF_INET) {
|
|
|
|
|
+ // bpf_printk(" LOCAL: %pI4:%u", sinfo->laddr, sinfo->lport);
|
|
|
|
|
+ // bpf_printk(" REMOTE: %pI4:%u", sinfo->raddr, sinfo->rport);
|
|
|
|
|
+ // } else {
|
|
|
|
|
+ // bpf_printk(" LOCAL: %pI6c:%u", sinfo->laddr, sinfo->lport);
|
|
|
|
|
+ // bpf_printk(" REMOTE: %pI6c:%u", sinfo->raddr, sinfo->rport);
|
|
|
|
|
+ // }
|
|
|
|
|
+ // bpf_printk(" %s FLAGS: 0x%x EVENTS: %u", isrx ? "RX" : "TX", tcp_flags,
|
|
|
|
|
+ // isrx ? sinfo->rx_events : sinfo->tx_events);
|
|
|
|
|
+ // bpf_printk(" TOTAL: TX %lu RX %lu\n", sinfo->tx_bytes, sinfo->rx_bytes);
|
|
|
|
|
+ // }
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
return 0;
|
|
@@ -1099,11 +1165,8 @@ int kprobe_ip_local_out(struct pt_regs *ctx) {
|
|
|
struct sk_buff *skb = (struct sk_buff *)PT_REGS_PARM2(ctx);
|
|
struct sk_buff *skb = (struct sk_buff *)PT_REGS_PARM2(ctx);
|
|
|
// struct sk_buff *skb = (struct sk_buff *)ctx->si;
|
|
// struct sk_buff *skb = (struct sk_buff *)ctx->si;
|
|
|
// __u16 proto = BPF_CORE_READ(sock, sk_protocol);
|
|
// __u16 proto = BPF_CORE_READ(sock, sk_protocol);
|
|
|
- __u16 sc_proto;
|
|
|
|
|
- int ret;
|
|
|
|
|
-
|
|
|
|
|
- uintptr_t sk_protocol_offset = offsetof(struct cw_net_sock, sk_protocol);
|
|
|
|
|
- bpf_probe_read_kernel(&sc_proto, sizeof(sc_proto), ((uint8_t *)sock) + sk_protocol_offset);
|
|
|
|
|
|
|
+ __u16 sc_proto;
|
|
|
|
|
+ bpf_probe_read_kernel(&sc_proto, sizeof(sc_proto), &sock->sk_protocol);
|
|
|
__u16 proto = sc_proto;
|
|
__u16 proto = sc_proto;
|
|
|
if (proto != IPPROTO_TCP)
|
|
if (proto != IPPROTO_TCP)
|
|
|
return 0;
|
|
return 0;
|
|
@@ -1122,11 +1185,8 @@ int kprobe_ip6_xmit(struct pt_regs *ctx){
|
|
|
struct sk_buff *skb = (struct sk_buff *)PT_REGS_PARM2(ctx);
|
|
struct sk_buff *skb = (struct sk_buff *)PT_REGS_PARM2(ctx);
|
|
|
// struct sk_buff *skb = (struct sk_buff *)ctx->si;
|
|
// struct sk_buff *skb = (struct sk_buff *)ctx->si;
|
|
|
// __u16 proto = BPF_CORE_READ(sock, sk_protocol);
|
|
// __u16 proto = BPF_CORE_READ(sock, sk_protocol);
|
|
|
- __u16 sc_proto;
|
|
|
|
|
- int ret;
|
|
|
|
|
-
|
|
|
|
|
- uintptr_t sk_protocol_offset = offsetof(struct cw_net_sock, sk_protocol);
|
|
|
|
|
- bpf_probe_read_kernel(&sc_proto, sizeof(sc_proto), ((uint8_t *)sock) + sk_protocol_offset);
|
|
|
|
|
|
|
+ __u16 sc_proto;
|
|
|
|
|
+ bpf_probe_read_kernel(&sc_proto, sizeof(sc_proto), &sock->sk_protocol);
|
|
|
__u16 proto = sc_proto;
|
|
__u16 proto = sc_proto;
|
|
|
if (proto != IPPROTO_TCP)
|
|
if (proto != IPPROTO_TCP)
|
|
|
return 0;
|
|
return 0;
|
|
@@ -1180,28 +1240,58 @@ static __always_inline int handle_udp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
func = (char*)event->func;
|
|
func = (char*)event->func;
|
|
|
|
|
|
|
|
/* get ip or ipv6 and udp headers from socket buffer */
|
|
/* get ip or ipv6 and udp headers from socket buffer */
|
|
|
|
|
+ // return 0;
|
|
|
|
|
+
|
|
|
|
|
+ const char* skb_head;
|
|
|
|
|
+ unsigned int skb_end;
|
|
|
|
|
+ unsigned int skb_len;
|
|
|
|
|
+ __u16 skb_transport_header;
|
|
|
|
|
+ __u16 skb_network_header;
|
|
|
|
|
+ bpf_probe_read_kernel(&skb_head, sizeof(skb_head), &skb->head);
|
|
|
|
|
+ bpf_probe_read_kernel(&skb_end, sizeof(skb_end), &skb->end);
|
|
|
|
|
+ bpf_probe_read_kernel(&skb_len, sizeof(skb_len), &skb->len);
|
|
|
|
|
+ bpf_probe_read_kernel(&skb_transport_header, sizeof(skb_transport_header), &skb->transport_header);
|
|
|
|
|
+ bpf_probe_read_kernel(&skb_network_header, sizeof(skb_network_header), &skb->network_header);
|
|
|
if (family == AF_INET)
|
|
if (family == AF_INET)
|
|
|
- iphdr = (struct iphdr *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, network_header));
|
|
|
|
|
|
|
+ // iphdr = (struct iphdr *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, network_header));
|
|
|
|
|
+ iphdr = (struct iphdr *)(skb_head + skb_network_header);
|
|
|
else if (family == AF_INET6)
|
|
else if (family == AF_INET6)
|
|
|
- ipv6hdr = (struct ipv6hdr *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, network_header));
|
|
|
|
|
|
|
+ // ipv6hdr = (struct ipv6hdr *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, network_header));
|
|
|
|
|
+ ipv6hdr = (struct ipv6hdr *)(skb_head + skb_network_header);
|
|
|
else
|
|
else
|
|
|
return 0;
|
|
return 0;
|
|
|
- udphdr = (struct udphdr *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, transport_header));
|
|
|
|
|
- data_len = isrx ? bpf_ntohs(BPF_CORE_READ(udphdr, len)) - sizeof(udphdr)
|
|
|
|
|
- : BPF_CORE_READ(skb, len) -
|
|
|
|
|
- (BPF_CORE_READ(skb, transport_header) - BPF_CORE_READ(skb, network_header)) - sizeof(udphdr);
|
|
|
|
|
|
|
+ // udphdr = (struct udphdr *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, transport_header));
|
|
|
|
|
+ udphdr = (struct udphdr *)(skb_head + skb_transport_header);
|
|
|
|
|
+ __be16 udphdr_len;
|
|
|
|
|
+ __be16 udphdr_dest;
|
|
|
|
|
+ __be16 udphdr_source;
|
|
|
|
|
+ bpf_probe_read_kernel(&udphdr_len, sizeof(udphdr_len), &udphdr->len);
|
|
|
|
|
+ bpf_probe_read_kernel(&udphdr_dest, sizeof(udphdr_dest), &udphdr->dest);
|
|
|
|
|
+ bpf_probe_read_kernel(&udphdr_source, sizeof(udphdr_source), &udphdr->source);
|
|
|
|
|
+ // data_len = isrx ? bpf_ntohs(BPF_CORE_READ(udphdr, len)) - sizeof(udphdr)
|
|
|
|
|
+ // : BPF_CORE_READ(skb, len) -
|
|
|
|
|
+ // (BPF_CORE_READ(skb, transport_header) - BPF_CORE_READ(skb, network_header)) - sizeof(udphdr);
|
|
|
|
|
+ data_len = isrx ? bpf_ntohs(udphdr_len) - sizeof(udphdr)
|
|
|
|
|
+ : skb_len - (skb_transport_header - skb_network_header) - sizeof(udphdr);
|
|
|
|
|
|
|
|
/* get local and remote port */
|
|
/* get local and remote port */
|
|
|
if (isrx) {
|
|
if (isrx) {
|
|
|
- lport = bpf_ntohs(BPF_CORE_READ(udphdr, dest));
|
|
|
|
|
- rport = bpf_ntohs(BPF_CORE_READ(udphdr, source));
|
|
|
|
|
|
|
+ // lport = bpf_ntohs(BPF_CORE_READ(udphdr, dest));
|
|
|
|
|
+ lport = bpf_ntohs(udphdr_dest);
|
|
|
|
|
+ // rport = bpf_ntohs(BPF_CORE_READ(udphdr, source));
|
|
|
|
|
+ rport = bpf_ntohs(udphdr_source);
|
|
|
} else {
|
|
} else {
|
|
|
lport = event->lport;
|
|
lport = event->lport;
|
|
|
rport = event->rport;
|
|
rport = event->rport;
|
|
|
}
|
|
}
|
|
|
/* get gso kernel segments to adjust packet counters */
|
|
/* get gso kernel segments to adjust packet counters */
|
|
|
- skbinfo = (struct skb_shared_info *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, end));
|
|
|
|
|
- gso_segs = BPF_CORE_READ(skbinfo, gso_segs);
|
|
|
|
|
|
|
+ // skbinfo = (struct skb_shared_info *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, end));
|
|
|
|
|
+ skbinfo = (struct skb_shared_info *)(skb_head + skb_end);
|
|
|
|
|
+ // gso_segs = BPF_CORE_READ(skbinfo, gso_segs);
|
|
|
|
|
+ short unsigned int skbinfo_gso_segs;
|
|
|
|
|
+ bpf_probe_read_kernel(&skbinfo_gso_segs, sizeof(skbinfo_gso_segs), &skbinfo->gso_segs);
|
|
|
|
|
+ gso_segs = skbinfo_gso_segs;
|
|
|
|
|
+
|
|
|
|
|
|
|
|
/* ignore network events of other process caused from self to prevent amplification loops */
|
|
/* ignore network events of other process caused from self to prevent amplification loops */
|
|
|
// bpf_probe_read_kernel_str(comm, sizeof(comm), BPF_CORE_READ(task, mm, exe_file, f_path.dentry, d_name.name));
|
|
// bpf_probe_read_kernel_str(comm, sizeof(comm), BPF_CORE_READ(task, mm, exe_file, f_path.dentry, d_name.name));
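Review bot: None of the new `bpf_probe_read_kernel()` calls on `skb`, `udphdr` and `skbinfo` check their return value, so a failed read of `skb->head` still goes on to form `iphdr`, `udphdr` and `skbinfo` from it. The helper zero-fills the destination on failure, so the flow record would be built from zero ports and lengths instead of the event being dropped, and `bpf_ntohs(udphdr_len) - sizeof(udphdr)` then wraps or goes negative depending on the type of `data_len`, which is declared outside the hunk. Guarding the first read is enough: `if (bpf_probe_read_kernel(&skb_head, sizeof(skb_head), &skb->head) || !skb_head) return 0;`. The `sizeof(udphdr)` carried over from the old line measures the pointer; `sizeof(*udphdr)` is what is meant. The `iphdr` address reads in the -1369 hunk are unchecked in the same way, and handle_udp_event starts and ends outside this hunk.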
|
|
@@ -1242,7 +1332,7 @@ static __always_inline int handle_udp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
// }
|
|
// }
|
|
|
// }
|
|
// }
|
|
|
/* clean expired records */
|
|
/* clean expired records */
|
|
|
- expire_sock_records(ctx);
|
|
|
|
|
|
|
+ // expire_sock_records(ctx);
|
|
|
|
|
|
|
|
/* lookup and update socket */
|
|
/* lookup and update socket */
|
|
|
// key = KEY_SOCK(BPF_CORE_READ(sock, __sk_common.skc_hash));
|
|
// key = KEY_SOCK(BPF_CORE_READ(sock, __sk_common.skc_hash));
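Review bot: Commenting out `expire_sock_records(ctx)` leaves the UDP path with no cleanup of expired socket records. Whether another caller still runs the expiry is not visible in this hunk. If none does, the socket map can only fill up, and later flows would fail allocation and go unrecorded. Either restore the call or replace the dead line with a comment saying where expiry now happens, e.g. `/* expiry now runs from <caller>, not per UDP event */`.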
|
|
@@ -1369,8 +1459,14 @@ static __always_inline int handle_udp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
sinfo->proto = IPPROTO_UDP;
|
|
sinfo->proto = IPPROTO_UDP;
|
|
|
// sinfo->state = BPF_CORE_READ(sock, __sk_common.skc_state);
|
|
// sinfo->state = BPF_CORE_READ(sock, __sk_common.skc_state);
|
|
|
if (family == AF_INET) {
|
|
if (family == AF_INET) {
|
|
|
- __u32 laddr = isrx ? BPF_CORE_READ(iphdr, daddr) : BPF_CORE_READ(iphdr, saddr);
|
|
|
|
|
- __u32 raddr = isrx ? BPF_CORE_READ(iphdr, saddr) : BPF_CORE_READ(iphdr, daddr);
|
|
|
|
|
|
|
+ __be32 iphdr_daddr;
|
|
|
|
|
+ __be32 iphdr_saddr;
|
|
|
|
|
+ bpf_probe_read_kernel(&iphdr_daddr, sizeof(iphdr_daddr), &iphdr->daddr);
|
|
|
|
|
+ bpf_probe_read_kernel(&iphdr_saddr, sizeof(iphdr_saddr), &iphdr->saddr);
|
|
|
|
|
+ // __u32 laddr = isrx ? BPF_CORE_READ(iphdr, daddr) : BPF_CORE_READ(iphdr, saddr);
|
|
|
|
|
+ // __u32 raddr = isrx ? BPF_CORE_READ(iphdr, saddr) : BPF_CORE_READ(iphdr, daddr);
|
|
|
|
|
+ __u32 laddr = isrx ? iphdr_daddr : iphdr_saddr;
|
|
|
|
|
+ __u32 raddr = isrx ? iphdr_saddr : iphdr_daddr;
|
|
|
bpf_probe_read_kernel(sinfo->laddr, sizeof(laddr), &laddr);
|
|
bpf_probe_read_kernel(sinfo->laddr, sizeof(laddr), &laddr);
|
|
|
bpf_probe_read_kernel(sinfo->raddr, sizeof(raddr), &raddr);
|
|
bpf_probe_read_kernel(sinfo->raddr, sizeof(raddr), &raddr);
|
|
|
} else {
|
|
} else {
|
|
@@ -1441,6 +1537,7 @@ static __always_inline int handle_udp_event(void *ctx, const struct SOCK_EVENT_I
|
|
|
/* nullify flags unused for UDP */
|
|
/* nullify flags unused for UDP */
|
|
|
sinfo->tx_events = 0;
|
|
sinfo->tx_events = 0;
|
|
|
sinfo->rx_events = 0;
|
|
sinfo->rx_events = 0;
|
|
|
|
|
+#pragma unroll
|
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
for (cnt = 0; cnt < SOCK_FLAGS_MAX; cnt++) {
|
|
|
sinfo->tx_flags_map[cnt] = 0;
|
|
sinfo->tx_flags_map[cnt] = 0;
|
|
|
sinfo->rx_flags_map[cnt] = 0;
|
|
sinfo->rx_flags_map[cnt] = 0;
|
|
@@ -1541,9 +1638,8 @@ int kprobe_skb_consume_udp(struct pt_regs *ctx) {
|
|
|
int len = 3;//TODO
|
|
int len = 3;//TODO
|
|
|
u16 family;
|
|
u16 family;
|
|
|
|
|
|
|
|
- __be16 tmp_protocol;
|
|
|
|
|
- uintptr_t sk_protocol_offset = offsetof(struct sk_buff, protocol);
|
|
|
|
|
- bpf_probe_read_kernel(&tmp_protocol, sizeof(tmp_protocol), ((uint8_t *)skb) + sk_protocol_offset);
|
|
|
|
|
|
|
+ __be16 tmp_protocol;
|
|
|
|
|
+ bpf_probe_read_kernel(&tmp_protocol, sizeof(tmp_protocol), &skb->protocol);
|
|
|
// if (BPF_CORE_READ(skb, protocol) == bpf_htons(ETH_P_IP))
|
|
// if (BPF_CORE_READ(skb, protocol) == bpf_htons(ETH_P_IP))
|
|
|
if (tmp_protocol == bpf_htons(ETH_P_IP))
|
|
if (tmp_protocol == bpf_htons(ETH_P_IP))
|
|
|
family = AF_INET;
|
|
family = AF_INET;
|
|
@@ -1677,6 +1773,7 @@ int handle_skb(struct __sk_buff *skb) {
|
|
|
__u8 nexthdr;
|
|
__u8 nexthdr;
|
|
|
|
|
|
|
|
bpf_skb_load_bytes(skb, ETH_HLEN + offsetof(struct ipv6hdr, nexthdr), &nexthdr, 1);
|
|
bpf_skb_load_bytes(skb, ETH_HLEN + offsetof(struct ipv6hdr, nexthdr), &nexthdr, 1);
|
|
|
|
|
+#pragma unroll
|
|
|
for (cntl = 0; cntl < 8; cntl++) {
|
|
for (cntl = 0; cntl < 8; cntl++) {
|
|
|
if (nexthdr == IPV6_NH_TCP)
|
|
if (nexthdr == IPV6_NH_TCP)
|
|
|
break;
|
|
break;
|
|
@@ -1709,7 +1806,7 @@ int handle_skb(struct __sk_buff *skb) {
|
|
|
bpf_skb_load_bytes(skb, ETH_HLEN + offsetof(struct ipv6hdr, saddr), isrx ? raddr : laddr, IP_ADDR_LEN_MAX);
|
|
bpf_skb_load_bytes(skb, ETH_HLEN + offsetof(struct ipv6hdr, saddr), isrx ? raddr : laddr, IP_ADDR_LEN_MAX);
|
|
|
bpf_skb_load_bytes(skb, ETH_HLEN + offsetof(struct ipv6hdr, daddr), isrx ? laddr : raddr, IP_ADDR_LEN_MAX);
|
|
bpf_skb_load_bytes(skb, ETH_HLEN + offsetof(struct ipv6hdr, daddr), isrx ? laddr : raddr, IP_ADDR_LEN_MAX);
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
|
|
+ // return 0;
|
|
|
/* get tcp source and dest ports */
|
|
/* get tcp source and dest ports */
|
|
|
tcphdr_ofs = ETH_HLEN + iphdr_len;
|
|
tcphdr_ofs = ETH_HLEN + iphdr_len;
|
|
|
bpf_skb_load_bytes(skb, tcphdr_ofs + offsetof(struct tcphdr, ack_seq) + 4, &tcphdr_len, sizeof(tcphdr_len));
|
|
bpf_skb_load_bytes(skb, tcphdr_ofs + offsetof(struct tcphdr, ack_seq) + 4, &tcphdr_len, sizeof(tcphdr_len));
|
|
@@ -1725,7 +1822,7 @@ int handle_skb(struct __sk_buff *skb) {
|
|
|
return skb->len;
|
|
return skb->len;
|
|
|
if (data_len < APP_MSG_LEN_MIN)
|
|
if (data_len < APP_MSG_LEN_MIN)
|
|
|
return skb->len;
|
|
return skb->len;
|
|
|
-
|
|
|
|
|
|
|
+ // return 0;
|
|
|
/* check data length and dns port */
|
|
/* check data length and dns port */
|
|
|
lport = bpf_ntohs(isrx ? dport : sport);
|
|
lport = bpf_ntohs(isrx ? dport : sport);
|
|
|
rport = bpf_ntohs(isrx ? sport : dport);
|
|
rport = bpf_ntohs(isrx ? sport : dport);
|
|
@@ -1749,20 +1846,30 @@ int handle_skb(struct __sk_buff *skb) {
|
|
|
bpf_printk("WARNING: Failed to allocate new tuple for application message\n");
|
|
bpf_printk("WARNING: Failed to allocate new tuple for application message\n");
|
|
|
return skb->len;
|
|
return skb->len;
|
|
|
}
|
|
}
|
|
|
- bpf_probe_read_kernel(stuple->laddr, sizeof(stuple->laddr), laddr);
|
|
|
|
|
- bpf_probe_read_kernel(stuple->raddr, sizeof(stuple->raddr), raddr);
|
|
|
|
|
|
|
+ // bpf_probe_read_kernel(stuple->laddr, sizeof(stuple->laddr), laddr);
|
|
|
|
|
+ // bpf_probe_read_kernel(stuple->raddr, sizeof(stuple->raddr), raddr);
|
|
|
|
|
+#pragma unroll
|
|
|
|
|
+ for (int i = 0; i < IP_ADDR_LEN_MAX; i++) {
|
|
|
|
|
+ stuple->laddr[i] = laddr[i];
|
|
|
|
|
+ }
|
|
|
|
|
+#pragma unroll
|
|
|
|
|
+ for (int i = 0; i < IP_ADDR_LEN_MAX; i++) {
|
|
|
|
|
+ stuple->raddr[i] = raddr[i];
|
|
|
|
|
+ }
|
|
|
stuple->lport = lport;
|
|
stuple->lport = lport;
|
|
|
stuple->rport = rport;
|
|
stuple->rport = rport;
|
|
|
stuple->proto = proto;
|
|
stuple->proto = proto;
|
|
|
pkey = bpf_map_lookup_elem(&hash_tuples, stuple);
|
|
pkey = bpf_map_lookup_elem(&hash_tuples, stuple);
|
|
|
if (pkey) {
|
|
if (pkey) {
|
|
|
- bpf_probe_read_kernel(&key, sizeof(key), pkey);
|
|
|
|
|
|
|
+ // bpf_probe_read_kernel(&key, sizeof(key), pkey);
|
|
|
|
|
+ key = *pkey;
|
|
|
sinfo = bpf_map_lookup_elem(&hash_socks, &key);
|
|
sinfo = bpf_map_lookup_elem(&hash_socks, &key);
|
|
|
if (!sinfo) {
|
|
if (!sinfo) {
|
|
|
bpf_printk("WARNING: Failed to lookup tcp socket key %lx for lport %u and rport %u\n", key, lport, rport);
|
|
bpf_printk("WARNING: Failed to lookup tcp socket key %lx for lport %u and rport %u\n", key, lport, rport);
|
|
|
return skb->len;
|
|
return skb->len;
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
+ // return 0;
|
|
|
if (!sinfo) {
|
|
if (!sinfo) {
|
|
|
if(!isrx)
|
|
if(!isrx)
|
|
|
return skb->len;
|
|
return skb->len;
|
|
@@ -1783,8 +1890,16 @@ int handle_skb(struct __sk_buff *skb) {
|
|
|
sinfo->family = family;
|
|
sinfo->family = family;
|
|
|
sinfo->role = ROLE_TCP_SERVER;
|
|
sinfo->role = ROLE_TCP_SERVER;
|
|
|
sinfo->proto = IPPROTO_TCP;
|
|
sinfo->proto = IPPROTO_TCP;
|
|
|
- bpf_probe_read_kernel(sinfo->laddr, sizeof(stuple->laddr), laddr);
|
|
|
|
|
- bpf_probe_read_kernel(sinfo->raddr, sizeof(stuple->raddr), raddr);
|
|
|
|
|
|
|
+ // bpf_probe_read_kernel(sinfo->laddr, sizeof(stuple->laddr), laddr);
|
|
|
|
|
+ // bpf_probe_read_kernel(sinfo->raddr, sizeof(stuple->raddr), raddr);
|
|
|
|
|
+#pragma unroll
|
|
|
|
|
+ for (int i = 0; i < IP_ADDR_LEN_MAX; i++) {
|
|
|
|
|
+ stuple->laddr[i] = laddr[i];
|
|
|
|
|
+ }
|
|
|
|
|
+#pragma unroll
|
|
|
|
|
+ for (int i = 0; i < IP_ADDR_LEN_MAX; i++) {
|
|
|
|
|
+ stuple->raddr[i] = raddr[i];
|
|
|
|
|
+ }
|
|
|
stuple->lport = lport;
|
|
stuple->lport = lport;
|
|
|
stuple->rport = rport;
|
|
stuple->rport = rport;
|
|
|
sinfo->rx_ts = bpf_ktime_get_ns();
|
|
sinfo->rx_ts = bpf_ktime_get_ns();
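Review bot: The two new copy loops write to `stuple->laddr[i]` and `stuple->raddr[i]`, but the lines they replace filled `sinfo->laddr` and `sinfo->raddr`, so the newly created socket record no longer gets its addresses. `stuple` was already filled by identical loops in the -1749 hunk, so these appear redundant there. The loop bodies should read `sinfo->laddr[i] = laddr[i];` and `sinfo->raddr[i] = raddr[i];`, assuming `sinfo->laddr` and `sinfo->raddr` hold at least `IP_ADDR_LEN_MAX` bytes (their declaration is not in view). handle_skb starts and ends outside this hunk.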
|
|
@@ -1792,7 +1907,8 @@ int handle_skb(struct __sk_buff *skb) {
|
|
|
sinfo->ts_first = sinfo->rx_ts;
|
|
sinfo->ts_first = sinfo->rx_ts;
|
|
|
sinfo->tx_ts_first = sinfo->tx_ts = 0;
|
|
sinfo->tx_ts_first = sinfo->tx_ts = 0;
|
|
|
sinfo->app_msg.cnt = 0;
|
|
sinfo->app_msg.cnt = 0;
|
|
|
- key = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
|
|
+ // key = crc64(0, (const u8 *)stuple, sizeof(*stuple));
|
|
|
|
|
+ key = 0;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
/* capture application message */
|
|
/* capture application message */
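Review bot: `key = 0;` gives every socket record created on this path the same key, where the old line derived it from the tuple with `crc64()`. How `key` is used after this block is outside the hunk, but the earlier `bpf_map_lookup_elem(&hash_socks, &key)` suggests it indexes the socket map. In that case distinct server-side TCP flows would collide on one entry and their counters and application messages would be merged. If `crc64()` had to go to satisfy the verifier, the key still needs to be derived from `stuple`. At minimum mark the line `/* FIXME: placeholder key, all new flows collide */` so it is not shipped as is.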
|